Am I clean now


  • This topic is locked
5 replies to this topic

#1 Nichan02301

Nichan02301

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:11 PM

Posted 03 September 2011 - 09:26 PM

Hi

I've got an XP Media Center Computer running SP2 that was infected with Security Protection

I booted into safe mode and ran

Tdsskiller

Rkill

Malwarebytes

Rebooted, but now it seems I am also infected with Rootkit Zeroaccess.

What other steps can I take to resolve these issues? The computer is scheduled to leave with my son for college on Monday.


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:03:11 AM

Posted 03 September 2011 - 09:38 PM

Can you post the logs from Malwarebytes and TDSSKiller?

#3 Nichan02301

Nichan02301
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:11 PM

Posted 03 September 2011 - 10:00 PM

Hi

Thank you for your time. I had renamed defender.exe to xnomore.bat in order to run TDSSKiller, Rkill and MBAM.

The requested files are attached.

2011/09/03 19:48:28.0515 0124 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/03 19:48:28.0625 0124 ================================================================================
2011/09/03 19:48:28.0625 0124 SystemInfo:
2011/09/03 19:48:28.0625 0124
2011/09/03 19:48:28.0625 0124 OS Version: 5.1.2600 ServicePack: 2.0
2011/09/03 19:48:28.0625 0124 Product type: Workstation
2011/09/03 19:48:28.0625 0124 ComputerName: L-CC16F19A92484
2011/09/03 19:48:28.0625 0124 UserName: Administrator
2011/09/03 19:48:28.0625 0124 Windows directory: C:\WINDOWS
2011/09/03 19:48:28.0625 0124 System windows directory: C:\WINDOWS
2011/09/03 19:48:28.0625 0124 Processor architecture: Intel x86
2011/09/03 19:48:28.0625 0124 Number of processors: 1
2011/09/03 19:48:28.0625 0124 Page size: 0x1000
2011/09/03 19:48:28.0625 0124 Boot type: Safe boot with network
2011/09/03 19:48:28.0625 0124 ================================================================================
2011/09/03 19:48:30.0656 0124 Initialize success
2011/09/03 19:48:33.0187 0192 ================================================================================
2011/09/03 19:48:33.0187 0192 Scan started
2011/09/03 19:48:33.0187 0192 Mode: Manual;
2011/09/03 19:48:33.0187 0192 ================================================================================
2011/09/03 19:48:34.0656 0192 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/03 19:48:34.0828 0192 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/03 19:48:35.0140 0192 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/09/03 19:48:35.0328 0192 AFD (6a0397376853e604de8e1e7a87fc08ac) C:\WINDOWS\System32\drivers\afd.sys
2011/09/03 19:48:36.0062 0192 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
2011/09/03 19:48:36.0281 0192 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/03 19:48:36.0437 0192 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/03 19:48:36.0718 0192 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/03 19:48:36.0937 0192 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/03 19:48:37.0093 0192 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/03 19:48:37.0312 0192 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/03 19:48:37.0515 0192 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/03 19:48:37.0703 0192 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/03 19:48:37.0828 0192 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/03 19:48:38.0625 0192 ctxusbm (cb6ff7012bb5d59d7c12350db795ce1f) C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
2011/09/03 19:48:38.0890 0192 dd20f419 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\435429597:585042918.exe
2011/09/03 19:48:40.0687 0192 Suspicious file (Hidden): C:\WINDOWS\435429597:585042918.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/09/03 19:48:40.0718 0192 dd20f419 - detected HiddenFile.Multi.Generic (1)
2011/09/03 19:48:40.0937 0192 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/03 19:48:41.0125 0192 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/03 19:48:41.0375 0192 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/03 19:48:41.0531 0192 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/03 19:48:41.0703 0192 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/03 19:48:42.0000 0192 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/03 19:48:42.0171 0192 E100B (83403675cab29e7a4b885b11e7c855d8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/03 19:48:42.0453 0192 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/03 19:48:42.0640 0192 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/03 19:48:42.0781 0192 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/03 19:48:42.0968 0192 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/03 19:48:43.0109 0192 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/03 19:48:43.0312 0192 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/03 19:48:43.0531 0192 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/03 19:48:43.0781 0192 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/03 19:48:43.0921 0192 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/03 19:48:44.0234 0192 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/09/03 19:48:44.0421 0192 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/09/03 19:48:44.0609 0192 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/09/03 19:48:44.0765 0192 HTTP (261bf53e1d1c21f04b4e748a6ed3d055) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/03 19:48:45.0171 0192 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/09/03 19:48:45.0484 0192 Imapi (ad5e8a6c823f24882a6826d7dbccf4a3) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/03 19:48:45.0968 0192 intelppm (db8a1859cf9e48914dcc0a7206d87be5) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/03 19:48:46.0062 0192 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/03 19:48:46.0281 0192 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/03 19:48:46.0421 0192 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/03 19:48:46.0593 0192 IpNat (472c75f85e631f8aa87d21c9fee6238d) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/03 19:48:46.0765 0192 IPSec (518d980950174fead090b4d1a62f2e17) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/03 19:48:46.0765 0192 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 518d980950174fead090b4d1a62f2e17, Fake md5: 64537aa5c003a6afeee1df819062d0d1
2011/09/03 19:48:46.0796 0192 IPSec - detected Rootkit.Win32.ZAccess.c (0)
2011/09/03 19:48:46.0906 0192 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/03 19:48:47.0078 0192 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/03 19:48:47.0312 0192 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/03 19:48:47.0500 0192 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/03 19:48:47.0671 0192 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/03 19:48:47.0843 0192 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/03 19:48:48.0296 0192 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/09/03 19:48:48.0468 0192 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/03 19:48:48.0625 0192 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/03 19:48:48.0859 0192 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/03 19:48:49.0000 0192 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/03 19:48:49.0203 0192 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/03 19:48:49.0453 0192 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/03 19:48:49.0703 0192 MRxSmb (3500e756812e716351f2d341ae1d5623) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/03 19:48:49.0953 0192 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/03 19:48:50.0125 0192 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/03 19:48:50.0281 0192 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/03 19:48:50.0421 0192 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/03 19:48:50.0609 0192 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/03 19:48:50.0781 0192 Mup (79a9c030299e8cc04f18d0765155d902) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/03 19:48:51.0015 0192 N100 (c7eb926899ff4575b630087ea4c7af61) C:\WINDOWS\system32\DRIVERS\n100325.sys
2011/09/03 19:48:51.0187 0192 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/03 19:48:51.0406 0192 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/03 19:48:51.0531 0192 Ndisuio (f08bd495ba387229606d015cb4f459c9) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/03 19:48:51.0750 0192 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/03 19:48:51.0890 0192 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/03 19:48:52.0156 0192 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/03 19:48:52.0312 0192 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/03 19:48:52.0531 0192 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/03 19:48:52.0734 0192 Ntfs (05ab81909514bfd69cbb1f2c147cf6b9) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/03 19:48:53.0031 0192 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/03 19:48:53.0265 0192 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/03 19:48:53.0406 0192 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/03 19:48:53.0625 0192 NwlnkIpx (79ea3fcda7067977625b3363a2657c80) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2011/09/03 19:48:53.0750 0192 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2011/09/03 19:48:53.0890 0192 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2011/09/03 19:48:54.0109 0192 NWRDR (bbbc2e555bb5e4adbaeb1447f11c68c9) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
2011/09/03 19:48:54.0359 0192 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/03 19:48:54.0531 0192 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/03 19:48:54.0671 0192 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/03 19:48:54.0859 0192 PCI (de1d9a5d50166a6d8a51daa936fc56a4) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/03 19:48:55.0140 0192 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/03 19:48:55.0328 0192 Pcmcia (36458ab24389af198194f73b9c6db8fe) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/03 19:48:56.0437 0192 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/03 19:48:56.0562 0192 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/03 19:48:56.0640 0192 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/03 19:48:56.0812 0192 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/03 19:48:57.0234 0192 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/03 19:48:57.0421 0192 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/03 19:48:57.0578 0192 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/03 19:48:57.0687 0192 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/03 19:48:57.0890 0192 Rdbss (ed375ce745c42a14f10753f7022ecd6a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/03 19:48:58.0078 0192 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/03 19:48:58.0250 0192 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/03 19:48:58.0437 0192 RDPWD (047bea21274c8a4a233674a76c958c2c) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/03 19:48:58.0625 0192 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/03 19:48:58.0968 0192 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/03 19:48:59.0187 0192 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/09/03 19:48:59.0437 0192 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/03 19:48:59.0562 0192 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/03 19:48:59.0703 0192 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/03 19:49:00.0015 0192 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/09/03 19:49:00.0390 0192 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/03 19:49:00.0578 0192 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/03 19:49:00.0812 0192 Srv (d4af9861c3b6a2163d26dc6b9cf05e2a) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/03 19:49:01.0046 0192 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/09/03 19:49:01.0250 0192 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/03 19:49:01.0484 0192 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/03 19:49:02.0031 0192 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/03 19:49:02.0296 0192 Tcpip (744e57c99232201ae98c49168b918f48) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/03 19:49:02.0531 0192 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/03 19:49:02.0671 0192 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/03 19:49:02.0859 0192 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/03 19:49:03.0171 0192 Udfs (5468714efdcc70e24981e5874b5a6ce5) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/03 19:49:03.0484 0192 UnlockerDriver5 (28cd05b9e54a11f08e3968ccc8f45002) C:\Program Files\Unlocker\UnlockerDriver5.sys
2011/09/03 19:49:03.0687 0192 Update (7b2170ee3d858ce8fbe503904cc9b663) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/03 19:49:03.0968 0192 usbccgp (dd0b8c7b96107cbf8f70201a6ef7156e) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/03 19:49:04.0140 0192 usbehci (b0d7020386c7187ef9c5a9643f289cd3) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/03 19:49:04.0312 0192 usbhub (b928132426e65558a2252e351a3e12db) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/03 19:49:04.0546 0192 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/03 19:49:04.0687 0192 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/03 19:49:04.0859 0192 USBSTOR (d31343bc16e50ad3b639e7d8d2639816) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/03 19:49:05.0031 0192 usbuhci (ff6e4fdeb82dc228efa490336409c6bd) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/03 19:49:05.0171 0192 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/09/03 19:49:05.0437 0192 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/03 19:49:05.0718 0192 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/03 19:49:05.0859 0192 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/03 19:49:06.0218 0192 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/03 19:49:06.0453 0192 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR4
2011/09/03 19:49:06.0515 0192 Boot (0x1200) (431c1e69f0128e5ebc729bfed4351153) \Device\Harddisk0\DR0\Partition0
2011/09/03 19:49:06.0546 0192 Boot (0x1200) (0dcc480aa3b89113d67498a7784c3af0) \Device\Harddisk1\DR4\Partition0
2011/09/03 19:49:06.0578 0192 ================================================================================
2011/09/03 19:49:06.0578 0192 Scan finished
2011/09/03 19:49:06.0578 0192 ================================================================================
2011/09/03 19:49:06.0640 0184 Detected object count: 2
2011/09/03 19:49:06.0640 0184 Actual detected object count: 2
2011/09/03 19:49:41.0968 0184 HKLM\SYSTEM\ControlSet001\services\dd20f419 - will be deleted after reboot
2011/09/03 19:49:41.0984 0184 HKLM\SYSTEM\ControlSet002\services\dd20f419 - will be deleted after reboot
2011/09/03 19:49:42.0000 0184 C:\WINDOWS\435429597:585042918.exe - will be deleted after reboot
2011/09/03 19:49:42.0000 0184 HiddenFile.Multi.Generic(dd20f419) - User select action: Delete
2011/09/03 19:49:42.0203 0184 IPSec (518d980950174fead090b4d1a62f2e17) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/03 19:49:42.0203 0184 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 518d980950174fead090b4d1a62f2e17, Fake md5: 64537aa5c003a6afeee1df819062d0d1
2011/09/03 19:49:45.0937 0184 Backup copy found, using it..
2011/09/03 19:49:45.0968 0184 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot
2011/09/03 19:49:45.0968 0184 Rootkit.Win32.ZAccess.c(IPSec) - User select action: Cure
2011/09/03 19:50:10.0765 0116 Deinitialize success


Mbam

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.13

9/3/2011 5:10:44 PM
mbam-log-2011-09-03 (17-10-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 184514
Time elapsed: 1 hour(s), 34 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt (Heuristics.Shuriken) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Security Protection (Rogue.Spypro) -> Value: Security Protection -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\i8042prt.sys (Heuristics.Shuriken) -> No action taken.
c:\documents and settings\administrator\my documents\downloads\removewga.exe (PUP.RemoveWGA) -> No action taken.
c:\documents and settings\all users\application data\xnomore.bat (Trojan.Agent) -> No action taken.
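As an added example (not code from the thread, from BleepingComputer or from Kaspersky's tool), a small Python parser for the TDSSKiller log format posted above. It pulls out only the detected objects, joining each driver entry with its "Suspicious file" line (hidden file, or a forged file whose two reported MD5s differ), flags paths that live in an NTFS alternate data stream, and records the action the user chose. The sample lines are copied from the log above; the field names are this example's own.

```python
import re

# Constructed sample: lines copied verbatim from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
2011/09/03 19:48:34.0656 0192 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/03 19:48:38.0890 0192 dd20f419 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\435429597:585042918.exe
2011/09/03 19:48:40.0687 0192 Suspicious file (Hidden): C:\WINDOWS\435429597:585042918.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/09/03 19:48:40.0718 0192 dd20f419 - detected HiddenFile.Multi.Generic (1)
2011/09/03 19:48:46.0765 0192 IPSec (518d980950174fead090b4d1a62f2e17) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/03 19:48:46.0765 0192 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 518d980950174fead090b4d1a62f2e17, Fake md5: 64537aa5c003a6afeee1df819062d0d1
2011/09/03 19:48:46.0796 0192 IPSec - detected Rootkit.Win32.ZAccess.c (0)
2011/09/03 19:49:42.0000 0184 HiddenFile.Multi.Generic(dd20f419) - User select action: Delete
2011/09/03 19:49:45.0968 0184 Rootkit.Win32.ZAccess.c(IPSec) - User select action: Cure
"""

# Every log line starts with "<timestamp> <thread id> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (?P<tid>\d{4}) (?P<msg>.*)$")
# Driver/service entry: "<name> (<md5>) <path>".
ENTRY_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Suspicious file (Hidden|Forged): <path>. md5: X" or "... Real md5: X, Fake md5: Y".
SUSP_RE = re.compile(
    r"^Suspicious file \((?P<kind>Hidden|Forged)\): (?P<path>.+?)\. "
    r"(?:md5: (?P<md5>[0-9a-f]{32})|Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32}))$")
# Verdict line: "<name> - detected <verdict> (<n>)".
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<n>\d+)\)$")
# Action line: "<verdict>(<name>) - User select action: <action>".
ACTION_RE = re.compile(r"^(?P<verdict>[^(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\S+)$")
# A second colon after the drive letter means an NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:")


def parse_tdsskiller(text):
    """Return one dict per detected object, with the suspicious-file details attached."""
    entries = {}     # driver/service name -> {"md5", "path"}
    suspicious = {}  # path -> {"kind", "real_md5", "fake_md5"}
    actions = {}     # name -> chosen action
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if (e := ENTRY_RE.match(msg)):
            entries[e["name"]] = {"md5": e["md5"], "path": e["path"]}
        elif (s := SUSP_RE.match(msg)):
            suspicious[s["path"]] = {"kind": s["kind"],
                                     "real_md5": s["real"] or s["md5"],
                                     "fake_md5": s["fake"]}
        elif (d := DETECT_RE.match(msg)):
            path = entries.get(d["name"], {}).get("path", "")
            info = suspicious.get(path, {})
            fake, real = info.get("fake_md5"), info.get("real_md5")
            findings.append({
                "time": m["ts"], "name": d["name"], "verdict": d["verdict"], "path": path,
                "kind": info.get("kind"), "real_md5": real, "fake_md5": fake,
                # Two differing hashes for one path: the file looks different depending
                # on how it is read, which is how TDSSKiller flags a forged driver.
                "hash_mismatch": bool(fake and fake != real),
                "in_ads": bool(ADS_RE.match(path)),
            })
        elif (a := ACTION_RE.match(msg)):
            actions[a["name"]] = a["action"]
    for f in findings:
        f["action"] = actions.get(f["name"])
    return findings


if __name__ == "__main__":
    for f in parse_tdsskiller(SAMPLE_LOG):
        print(f"{f['verdict']:28} {f['name']:10} {f['kind'] or '-':7} "
              f"ads={f['in_ads']!s:5} mismatch={f['hash_mismatch']!s:5} action={f['action']}")
```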

#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:03:11 AM

Posted 03 September 2011 - 10:17 PM

Please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.

#5 Nichan02301

Nichan02301
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:11 PM

Posted 03 September 2011 - 11:11 PM

Hi

Thanks, I ran the requested files and attached them to the following new thread: http://www.bleepingcomputer.com/forums/topic417344.html

#6 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,732 posts
  • OFFLINE
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:08:11 PM

Posted 03 September 2011 - 11:38 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

